One of the biggest concerns that shops looking to do DaaS have to face is cloud security.
Desktop as a service (DaaS) providers say that their services allow companies to deploy hosted desktops more easily, efficiently, cheaply and securely than they could in-house, and there may be some truth to that. Being able to centralize management on a large scale certainly has its advantages. And by offering services en masse, providers can dedicate the necessary resources to implement higher levels of security than what organizations can often achieve on their own, especially small or medium-sized businesses.
But IT administrators and decision makers should take security claims with a grain of salt; even the improved security that VDI promises is a product of the systems and processes that admins put in place to protect virtual environments. There isn't anything about VDI that's inherently more secure than its physical counterpart. Similarly, DaaS isn't any less susceptible to security vulnerabilities than other cloud services.
Trusting DaaS providers' IT staff
Managing a large collection of desktops is no small undertaking, and managing an in-house VDI environment can be even more difficult. Some organizations turn to DaaS so they can offload many of their administrative headaches to a cloud service that already has the infrastructure and expertise necessary to manage virtual desktops. But as part of that deal, admins must give up a significant amount of control.
When shops hand the desktop management reins to their DaaS provider, they have to put their trust in the service's IT staff to implement a secure environment, which is a complex process. But what happens if the provider isn't diligent?
Technicians might implement poorly designed application programming interfaces or unsafe apps. They might accidentally misconfigure the hypervisor and virtual machines (VMs). They might deploy an ineffective anti-malware tool across the entire system. Given the complexities of the infrastructure needed for DaaS -- including multi-tenancy -- it can be too late by the time anyone realizes something is amiss.
The service must be able to support multiple types of endpoints, such as desktops, laptops, smartphones and tablets. All these devices connect to the DaaS provider via the Internet, which means the provider's staff must account for the ports, connections, firewalls, transport protocols and all the other components necessary to facilitate secure data transfers.
More cloud security concerns
Unfortunately, a poorly designed and implemented infrastructure is only one of the risks that come with doing DaaS. Companies trust their DaaS providers to keep operations running in a safe and secure manner. But it's easy to imagine that some providers could fail to be vigilant in all their tasks at all times.
Providers could, for example, fail to perform system audits, apply security patches or maintain virus protection across all systems. They might also make decisions based on considerations other than security, such as forgoing a malware threat analysis to avoid negatively affecting performance.
Organizations that turn to DaaS must also trust that all the people who work for the service provider are reliable, particularly those who have direct access to the VDI environments. Have employee references been verified? Background checks performed? Where do encryption keys reside and who can access them?
Ideally, DaaS providers will have extensive security policies for their internal employees. That said, even workers with the best intentions can be the victims of cybercrime.
For example, JPMorgan Chase reports that 76 million households and seven million small businesses have been affected by the latest cyberattack. Hackers gained access to a Web-development server by using an employee's login credentials. With those credentials, the hackers could navigate freely through the bank's secure network.
Security pundits speculate that the stolen data will be used to launch extensive phishing campaigns against those compromised households and businesses. If a DaaS infrastructure were compromised in such a way, those subscribing to the service could be put at significant risk.
Another big fear when turning to a cloud service such as DaaS is what to do if a provider goes out of business. It's not just loss of productivity that becomes a concern, but also what happens to that secure infrastructure and the VMs it supports. A data center must be protected at all times from both physical attacks and those coming through cyberspace because any lapse in that protection can result in irreparable damage. There is no telling how the servers are protected if a company stops paying its bills. Even if data at rest is encrypted, you might still have a warehouse full of running machines that hackers could infiltrate.